Auto Intune Enrollment - Only for selected user (IE none) but still being auto enrolled?

Question

Auto Intune Enrollment - Only for selected user (IE none) but still being auto enrolled?

Jonathan Telling 20

Hi All.

I've been doing some testing of a few things (see my old post) and I'm confused by the following:

I created a VM in Azure, Windows 11 Ent. This VM was not enabled for AADLogonForWindows (Login using Entra ID) as I'm wanting to do some testing against a test tenant (IE a different tenant from where the subscription is connected ).

I logged into the new VM and AAD joined it to the test tenant, all good and as expected.
The new VM now has an AAD joined device and is Intune enrolled.

My next testing is to do with enrolling in Intune in a different way, outside the Auto enrollment.
I changed the MDM auto enrollment settings from "all" to "some" and selected an empty group that I'll use later.

I then unenrolled the device from AAD/Intune (locally from the VM not from the portal). All good, no devices for the test VM to be found.

I then AAD joined the VM and it still auto enrols in Intune.. At first I thought this was a time issue (not giving Intune enough time to replicate the settings around) and so I tested it again around 2hrs later and it still auto enroled...

Am I doing something wrong, or is this just lag time in Intune?

3 answers

Your answer

Answer 1

Crystal-MSFT 53,086 Microsoft External Staff

@Jonathan Telling, Thanks for posting in Q&A. From your description, I know we have changed the Automatic enrollment from All to some. But the device still auto enrolls into Intune.

Here I have some suggestions:

1, For the MDM auto enrollment, please confirm if we change it under MDM user scope of Microsoft Intune. Please change to none to see if the result will be different.

https://learn.microsoft.com/en-us/mem/intune/enrollment/quickstart-setup-auto-enrollment#set-up-automatic-enrollment

2, When unenroll the device from Intune and Microsoft Entra ID, please ensure the devices records in both Intune and Microsoft Entra ID portal are removed. In addition, please clean the enrollment registry information under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments.

In addition, please check the device information on the device side Setting->Accounts->Access work or school, to see which account has info button which means enroll into Intune and confirm if it is enrolled into the previous tenant or IE tenant.

Please try the above suggestion and if there's any update, feel free to let us know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Jonathan Telling 20 Reputation points

2025-01-22T14:06:23.09+00:00
I've double confirmed that the MDM user scope was set to "some", I have now changed it to "none" and still the same outcome.

I created a new VM for testing (no old reg entries) and still the same outcome.
I also, just to make sure, created a new user account and granted this account the rights to join devices to AAD. Still the device was joined and auto enrolled in Intune, I had to assign a license to the test account as well as I was getting an error regarding the MDM terms of service URL (a good indication before completing the join process that the device is still trying to auto enrol).

Error when joining device before assigning a lic.
Jonathan Telling 20 Reputation points

2025-01-22T14:16:28.73+00:00
I had replied, but seem my reply isnt showing.

I confirmed that the MDM user settings where set to "some" but for testing I changed it to "none", still same out come, see below.

To avoid any stale/old information from the old VM interfering I created a new VM and tested again from the new VM.
I also created a new AAD account just for this which was only granted the permissions to AAD join devices (no other RBACs at all).
I did notice that until I assigned an Intune lic I would get the below error message, which suggest autoenrolment is still active even while it is disabled.
After joining the device to AAD the device was enrolled into Intune.
Crystal-MSFT 53,086 Reputation points Microsoft External Staff

2025-01-23T02:24:33.8066667+00:00

Hi @Jonathan Telling, From your description, I know the MDM user scope is already set as none. But the Intune auto enroll still triggered when do Microsoft Entra Joined. That's strange.

For your VM, was it Azure virtual desktop? If yes, please ensure "Enroll the VM with Intune" is not enabled when we deploy the VM.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop

Meanwhile, for license, we just only assign Intune license and don't assign Microsoft Entra ID premium license to see if it is different
Crystal-MSFT 53,086 Reputation points Microsoft External Staff

2025-01-27T02:30:12.1233333+00:00

Hi @Jonathan Telling, How's everything going? Could you confirm the above information to let us go further? thanks!
Jonathan Telling 20 Reputation points

2025-01-30T10:02:57.68+00:00

Sorry for the later reply, the testing VM is just a normal VM not an AVD. I'll do some testing around the P1/2 and E5 lics and see if that changes anything, as it is very strange! :) PS sorry for the double comment reply, I thought the forum had glitched and didnt save my reply (so I replied again).
Crystal-MSFT 53,086 Reputation points Microsoft External Staff

2025-01-31T02:24:33.0633333+00:00

@Jonathan Telling, Thanks for your confirmation. And for the reply, it's OK.

From your description, it's not AVD. But a VM in Azure, I want to confirm if it is VDI. If yes, it is not recommended to use Intune to manage on-demand, session-host virtual machines, also known as non-persistent virtual desktop infrastructure (VDI).

https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-10-virtual-machines

Answer 2

I've managed to stop auto enrolment into Intune when adding a joining a device to the AAD tenant.
From the portal I searched for "mobility (MDM and WIP)".
Which has the following:

Microsoft Intune
Microsoft Intune Enrollment

Everything I've read says that the "Microsoft Intune" is the on that is used (also the settings match what is in Intune for Auto Enrolment) but I thought I'll change "Microsoft Intune Enrollment" to test. And that worked, I can no join a device to the tenant without auto enrollment into Intune. All this so I can test manually enrolling a device directly into Intune without duplicate devices being created in AAD. :)

Answer 3

@Jonathan Telling, Thanks for sharing your solution here. In general, The Microsoft Intune setting in the portal is used to configure automatic enrollment policies for devices joining the Microsoft Entra ID (formerly Azure AD) tenant. The Microsoft Intune Enrollment setting specifically controls the initial enrollment behavior of devices. By Default, we will not configure Microsoft Intune Enrollment. Just configure under Microsoft Intune. From your description, it seems the Microsoft Intune Enrollment is configured before and now when we change it, the automatic enrollment stops.